IBM Security Verify

  • 1.  Use Front End Load Balancers on Webseal ISVAs, but still get real client IP

    Posted Thu December 16, 2021 08:17 AM
    Hi,
    I have set up two ISVA 10.0.0.2 WebSEALs, and wanted to use their Front End Load Balancers in layer 4 mode.
    It works OK, but since these load balancers are actually reverse proxies (HAProxy) I am getting their IP addresses in the request.log of the WebSEALs, and in the iv-remote-address header that I am sending to backend servers.
    Can I have the real clients' IP addresses in request.log, and in the iv-remote-address (or any other) header that I am sending to backend servers?
    What should I set on LB, and what in webseald.conf?

    Thanks,

    Mita


  • 2.  RE: Use Front End Load Balancers on Webseal ISVAs, but still get real client IP

    Posted Thu December 16, 2021 08:26 AM
    Hi Mita,

    You will need to configure the load balancers to send the real client IP address in an HTTP header.  Most common would be to send it in the X-Forwarded-For header.

    In WebSEAL configuration file, the following will cause it to use IP address from header instead of IP from network layer:

    #
    # The following configuration entry is used to define the name of the HTTP
    # header which contains the IP address of the client.  This IP address will be
    # used as the client address in authorization decisions and auditing records.
    # If no HTTP header is configured, or the configured HTTP header is missing
    # from the HTTP request, or the contents of the HTTP header are incorrect,
    # the client IP address of the connection itself will be used.
    #
    # For example:
    #   client-ip-http-header = X-Forwarded-For
    #
    client-ip-http-header = X-Forwarded-For


    I hope that helps.

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Use Front End Load Balancers on Webseal ISVAs, but still get real client IP

    Posted Thu December 16, 2021 09:08 AM
    Hi Jon,

    Thanks for the answer.
    Well, this does not really help, but it may be my error.
    First of all, I'm not sure how to set the FELB to send the header to WebSEAL, but it may be like this:
    Next, client-ip-http-header is an option under the [aznapi-configuration] stanza; I'm not sure whether it influences either the headers toward the backend or request.log. I believe something should go under [header-names], but it won't accept client-ip-http-header.
    Well, I've tested this way, and it does not work, either for request.log or for the header that is received by the backend server from WebSEAL.

    Any other idea?

    Thanks,

    Mita


  • 4.  RE: Use Front End Load Balancers on Webseal ISVAs, but still get real client IP

    Posted Thu December 16, 2021 09:20 AM
    Hi Mita,
    You have to configure the FELB (HAProxy) in layer 7 mode and configure the parameter option_forward-for with the value "header x-forwarded-for" under the advanced tuning of the virtual server.

    ------------------------------
    Pietro Mosini
    IBM
    Rome
    ------------------------------



  • 5.  RE: Use Front End Load Balancers on Webseal ISVAs, but still get real client IP

    Posted Thu December 16, 2021 09:42 AM
    Hi Pietro,

    Thanks for the answer.
    I've configured it that way; it is just that my LB is configured as layer 4. I think I can't go with layer 7 (I have certificate-based authentication and two-way SSL between clients and WebSEALs, so I need SSL terminated on the WebSEALs, not on the LB).
    Actually, can it work with SSL at all (X-Forwarded-For)?
    I mean, this setup is actually a migration/upgrade from a TAM7 environment, where I was using dedicated WebSphere Edge LBs v4, so I would like to avoid them in the new setup.

    Mita


  • 6.  RE: Use Front End Load Balancers on Webseal ISVAs, but still get real client IP

    Posted Thu December 16, 2021 11:24 AM
    Unfortunately the X-Forwarded-For header is only sent when HAProxy is configured in Layer 7 mode. However, there is a way to configure ISAM to perform client certificate authentication by taking advantage of the secondary interface (see e.g. Configure ISAM to listen on multiple interfaces and ports) and creating an EAI that performs the client certificate authentication by using this secondary interface (i.e. same address, different port, or different address, same port; it's up to you). In order to create an EAI for client certificate authentication using the infomap mechanism, you can take a look at this article: https://community.ibm.com/community/user/security/blogs/shane-weeden1/2017/07/06/linking-client-certificates-to-an-isam-account
    Hope this helps,
    P.

    ------------------------------
    Pietro Mosini
    IBM
    Rome
    ------------------------------
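An illustrative stand-alone HAProxy configuration, added here and not taken from the thread or from the ISVA FELB itself (which, per Pietro's replies, is configured through the virtual server's advanced tuning), contrasting the layer 4 mode Mita is using with the layer 7 mode that makes X-Forwarded-For possible. The two variants are alternatives shown side by side; backend addresses, certificate paths and names are placeholders.

```haproxy
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Variant A: layer 4 (mode tcp) passthrough, the setup described in the question.
# TLS is NOT terminated here, so the client-certificate handshake still ends on
# WebSEAL, but HAProxy never parses HTTP and therefore cannot insert
# X-Forwarded-For. WebSEAL sees the proxy as its TCP peer, and that proxy
# address is what ends up in request.log and in iv-remote-address.
frontend fe_l4
    bind *:443
    mode tcp
    default_backend be_webseal_l4

backend be_webseal_l4
    mode tcp
    balance roundrobin
    server webseal1 192.0.2.11:443 check   # placeholder addresses (TEST-NET-1)
    server webseal2 192.0.2.12:443 check

# Variant B: layer 7 (mode http), the stand-alone equivalent of setting
# option_forward-for = "header x-forwarded-for" in the FELB advanced tuning.
# HAProxy terminates TLS (so client-certificate authentication can no longer
# happen on WebSEAL) and inserts X-Forwarded-For carrying the real client
# address, which webseald.conf then consumes via:
#   [aznapi-configuration]
#   client-ip-http-header = X-Forwarded-For
# WebSEAL uses that header value as the client address for authorization and
# audit, so the WebSEAL listener should only be reachable through the LB.
frontend fe_l7
    bind *:8443 ssl crt /etc/haproxy/certs/felb.pem   # placeholder cert path
    mode http
    option forwardfor
    default_backend be_webseal_l7

backend be_webseal_l7
    mode http
    balance roundrobin
    # Re-encrypt to WebSEAL and verify its certificate (placeholder CA path).
    server webseal1 192.0.2.11:443 ssl verify required ca-file /etc/haproxy/certs/webseal-ca.pem check
    server webseal2 192.0.2.12:443 ssl verify required ca-file /etc/haproxy/certs/webseal-ca.pem check
```

In variant A nothing the load balancer does can change what WebSEAL logs, which is why the thread ends with either moving client-certificate authentication to a secondary interface or using an external layer 4 LB.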



  • 7.  RE: Use Front End Load Balancers on Webseal ISVAs, but still get real client IP

    Posted Thu December 16, 2021 12:24 PM
    Hi Pietro,

    Thank you for the answer.

    I see, there is no way of using the embedded FELB (HAProxy), having the real client address (for the log and the iv-remote-address header), and terminating SSL on the WebSEALs.
    I have certificate authentication already in place, kind of the "old way" (I am not using AAC at all, just the base module), as this is actually an upgrade/migration from TAM7.
    I think I will use some external Layer 4 LBs.

    Thanks again,

    Mita